chore: Update grant examples in all resources (#2660)

- Removed all deprecated examples (using deprecated `_grant` resources) from the non-deprecated resources/datasources (only one). - Removed using deprecated `_grant` and `_grants` resources from resource and datasource acceptance tests (only from the non-deprecated resources/datasources). - Added migration guide to the readme.
Snowflake-Labs · Mar 29, 2024 · b542b69 · b542b69
1 parent 16c75b0
commit b542b69
Show file tree

Hide file tree

Showing 7 changed files with 36 additions and 56 deletions.
diff --git a/README.md b/README.md
@@ -18,6 +18,7 @@ This is a terraform provider for managing [Snowflake](https://www.snowflake.com/
 - [Snowflake Terraform Provider](#snowflake-terraform-provider)
   - [Table of contents](#table-of-contents)
   - [Getting started](#getting-started)
+  - [Migration guide](#migration-guide)
   - [Roadmap](#roadmap)
   - [Getting Help](#getting-help)
   - [Additional debug logs for `snowflake_grant_privileges_to_role` resource](#additional-debug-logs-for-snowflake_grant_privileges_to_role-resource)
@@ -54,6 +55,10 @@ Don't forget to run `terraform init` and you're ready to go! 🚀
 
 Start browsing the [registry docs](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs) to find resources and data sources to use.
 
+## Migration guide
+
+Please check the [migration guide](./MIGRATION_GUIDE.md) when changing the version of the provider.
+
 ## Roadmap
 
 Check [Roadmap](./ROADMAP.md).

diff --git a/docs/resources/stage.md b/docs/resources/stage.md
@@ -19,14 +19,6 @@ resource "snowflake_stage" "example_stage" {
   schema      = "EXAMPLE_SCHEMA"
   credentials = "AWS_KEY_ID='${var.example_aws_key_id}' AWS_SECRET_KEY='${var.example_aws_secret_key}'"
 }
-
-resource "snowflake_stage_grant" "grant_example_stage" {
-  database_name = snowflake_stage.example_stage.database
-  schema_name   = snowflake_stage.example_stage.schema
-  roles         = ["LOADER"]
-  privilege     = "OWNERSHIP"
-  stage_name    = snowflake_stage.example_stage.name
-}
 ```
 
 <!-- schema generated by tfplugindocs -->

diff --git a/examples/resources/snowflake_stage/resource.tf b/examples/resources/snowflake_stage/resource.tf
@@ -6,11 +6,3 @@ resource "snowflake_stage" "example_stage" {
   schema      = "EXAMPLE_SCHEMA"
   credentials = "AWS_KEY_ID='${var.example_aws_key_id}' AWS_SECRET_KEY='${var.example_aws_secret_key}'"
 }
-
-resource "snowflake_stage_grant" "grant_example_stage" {
-  database_name = snowflake_stage.example_stage.database
-  schema_name   = snowflake_stage.example_stage.schema
-  roles         = ["LOADER"]
-  privilege     = "OWNERSHIP"
-  stage_name    = snowflake_stage.example_stage.name
-}
diff --git a/pkg/datasources/system_generate_scim_access_token_acceptance_test.go b/pkg/datasources/system_generate_scim_access_token_acceptance_test.go
@@ -40,27 +40,24 @@ func generateAccessTokenConfig(name string) string {
 		comment = "test comment"
 	}
 
-	resource "snowflake_account_grant" "azurecud" {
-		roles     = [snowflake_role.azured.name]
-		privilege = "CREATE USER"
+	resource "snowflake_grant_privileges_to_account_role" "azure_grants" {
+	  	account_role_name = snowflake_role.azured.name
+  		privileges        = ["CREATE USER", "CREATE ROLE"]
+		on_account        = true
 	}
-	resource "snowflake_account_grant" "azurecrd" {
-		roles     = [snowflake_role.azured.name]
-		privilege = "CREATE ROLE"
-	}
-	resource "snowflake_role_grants" "azured" {
-		role_name = snowflake_role.azured.name
-		roles = ["ACCOUNTADMIN"]
+
+	resource "snowflake_grant_account_role" "azured" {
+		role_name        = snowflake_role.azured.name
+		parent_role_name = "ACCOUNTADMIN"
 	}
 
 	resource "snowflake_scim_integration" "azured" {
 		name = "%s"
 		scim_client = "AZURE"
 		provisioner_role = snowflake_role.azured.name
 		depends_on = [
-			snowflake_account_grant.azurecud,
-			snowflake_account_grant.azurecrd,
-			snowflake_role_grants.azured
+			snowflake_grant_privileges_to_account_role.azure_grants,
+			snowflake_grant_account_role.azured
 		]
 	}
 

diff --git a/pkg/resources/file_format_acceptance_test.go b/pkg/resources/file_format_acceptance_test.go
@@ -70,12 +70,10 @@ func TestAcc_FileFormatCSV(t *testing.T) {
 			},
 			// IMPORT
 			{
-				ResourceName:      "snowflake_file_format.test",
-				ImportState:       true,
-				ImportStateVerify: true,
-				ImportStateVerifyIgnore: []string{
-					"enable_multiple_grants", // feature flag attribute not defined in Snowflake, can't be imported
-				},
+				ResourceName:            "snowflake_file_format.test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{},
 			},
 		},
 	})

diff --git a/pkg/resources/scim_integration_acceptance_test.go b/pkg/resources/scim_integration_acceptance_test.go
@@ -51,19 +51,15 @@ func scimIntegrationConfigAzure(name string, role string, policy string) string
 		comment = "test comment"
 	}
 
-	resource "snowflake_account_grant" "azurecua" {
-		roles     = [snowflake_role.azure.name]
-		privilege = "CREATE USER"
+	resource "snowflake_grant_privileges_to_account_role" "azure_grants" {
+	  	account_role_name = snowflake_role.azure.name
+  		privileges        = ["CREATE USER", "CREATE ROLE"]
+		on_account        = true
 	}
 
-	resource "snowflake_account_grant" "azurecra" {
-		roles     = [snowflake_role.azure.name]
-		privilege = "CREATE ROLE"
-	}
-
-	resource "snowflake_role_grants" "azure" {
-		role_name = snowflake_role.azure.name
-		roles = ["ACCOUNTADMIN"]
+	resource "snowflake_grant_account_role" "azure" {
+		role_name        = snowflake_role.azure.name
+		parent_role_name = "ACCOUNTADMIN"
 	}
 
 	resource "snowflake_network_policy" "azure" {
@@ -77,9 +73,8 @@ func scimIntegrationConfigAzure(name string, role string, policy string) string
 		provisioner_role = snowflake_role.azure.name
 		network_policy = snowflake_network_policy.azure.name
 		depends_on = [
-			snowflake_account_grant.azurecua,
-			snowflake_account_grant.azurecra,
-			snowflake_role_grants.azure
+			snowflake_grant_privileges_to_account_role.azure_grants,
+			snowflake_grant_account_role.azure
 		]
 	}
 	`, role, policy, name)

diff --git a/pkg/resources/view_acceptance_test.go b/pkg/resources/view_acceptance_test.go
@@ -492,16 +492,17 @@ resource "snowflake_role" "test" {
   name = "test"
 }
 
-resource "snowflake_view_grant" "grant" {
-  database_name = "%[1]s"
-  schema_name = "%[2]s"
-  view_name = snowflake_view.test.name
-  privilege = "SELECT"
-  roles = [snowflake_role.test.name]
+resource "snowflake_grant_privileges_to_account_role" "grant" {
+  privileges        = ["SELECT"]
+  account_role_name = snowflake_role.test.name
+  on_schema_object {
+    object_type = "VIEW"
+    object_name = "\"%[1]s\".\"%[2]s\".\"${snowflake_view.test.name}\""
+  }
 }
 
 data "snowflake_grants" "grants" {
-  depends_on = [snowflake_view_grant.grant, snowflake_view.test]
+  depends_on = [snowflake_grant_privileges_to_account_role.grant, snowflake_view.test]
   grants_on {
     object_name = "\"%[1]s\".\"%[2]s\".\"${snowflake_view.test.name}\""
     object_type = "VIEW"